The Global Growth of Security Risk Management
The evolution of security risk management (SRM)
If you were to ask someone whether keeping staff safe whilst working overseas is important, they would, I hope, say yes. So why is the effective management of security risks rarely considered as a priority when projects are planned? Why, in some cases, are security professionals actively vilified?
“But we do good things, why would anybody hurt us?”
This assumption, on which many security strategies were once built, is no longer recognised as a universal truth. There are still, however, a number of image issues and perceptions about security risk management and the ‘average security manager’ that need tackling.
The way to keep staff safest is to lock them in the compound and not let them out, and countless stories exist about humanitarian teams that were unable to leave their compounds for months on end as it was considered ‘unsafe’ by security staff. Maybe this is where some of the perceptions about us come from.
ISO 31000 for Risk Management defines ‘risk’ as anything that prevents you from achieving your objective. A risk-averse security strategy that prevents an organisation from implementing its programmes is, therefore, a risk in itself.
I first came across the ex-pat ‘security officer’ while working in Afghanistan in 2003. At that time, the ones I met were mainly ex-military with little or no understanding of the humanitarian sector. But we have come a long way since then. ‘Hard security’ (barbed wire, high walls, convoys and protection measures), while still important, has taken a back seat. Security professionals now recognise skills and qualities, like analysis, communication, people skills and listening, as the most critical for being effective.
Security risk management is seeing greater recognition as a specific profession required in humanitarian response. We still have a long way to go when it comes to diversity (more on that later), but the profile and calibre of security staff are changing accordingly.
Effective security risk management comes from:
- proactively understanding the context and the threats that exist,
- understanding how staff, programmes and assets may be vulnerable to these threats,
- deciding whether the resultant risk is within the organisation’s risk threshold,
- identifying mitigating measures to treat the risk (before the organisation decides whether the residual risk is acceptable).
All done while considering the nature of the programmes being implemented.
Our role as a forum
Often, risk thresholds are the first stumbling block when it comes to effective SRM. Staff may be unclear on what the acceptable level of risk is for their organisation. At EISF (soon to be GISF – the Global Interagency Security Forum), a growing area of discussion with our members is around working with boards and senior management. In particular, getting them to understand what their duty of care responsibilities are, and how security risk management supports this.
Over the coming months, drawing on the experience of our members, we plan to develop materials that support this essential growth in governance approaches. More specifically, how an organisation identifies, articulates and implements an appropriate risk threshold.
As a forum, one of our strengths is our ability to gather good practice examples and experiences. The broad range of actors and experts in our network help us to create a ‘centre of excellence’ for security risk management – for all in the aid sector. Our access to global security leads from a wide variety of non-governmental organisations (NGOs) is unmatched. Because our members trust the space provided to share real-life challenges and lessons, others don’t have to re-invent the wheel, nor make the same mistakes that their peers have.
Looking to the future
This is where the transition from EISF to GISF becomes so exciting. We have always sought to gather input and experiences from as broad a range of actors as possible. Outside of the European pool, though, this has always been on an ad-hoc basis.
Now, with new members from North America and applicants from Asia and beyond, we have an opportunity to ensure that our work reflects a truly global perspective. We aim to bring this to both our practical guides and our original research pieces. With both being key aspects of GISF’s work, we’ll push the boundaries of how the aid sector looks at managing its security risks.
Diversity and inclusion
One of the highlights for me last year was being invited to present at the Security Institute Annual Meeting on the importance of diversity. This followed the publication of our research paper, Managing the Security of Aid Workers with Diverse Profiles, in 2018.
About halfway through my presentation about some of the issues created by the dominance of middle-aged, straight, white men in the security sector, I realised that this may not have been the wisest approach for an audience dominated by middle-aged, straight, white men. Thankfully, they took it well and it initiated some good discussions.
Even in the aid sector – where security professionals are diversifying – thought processes are still often dominated by the sector’s early security managers. One of the most obvious consequences of this is that the ‘average aid worker’ – around which security practices are built – reflects the image of the security professionals who started the work – i.e. a straight, white man. This can still be seen in the approach of many security plans and personal security courses (HEAT).
Working with local partners
As we continue to tackle these issues, EISF’s current research project – Partnerships and Security Risk Management: From the local partner’s perspective – is throwing up new, and sometimes unexpected, challenges. As donors and NGOs alike look to implement the Grand Bargain Localisation Agenda, we must make sure that local organisations have the support they need to protect their staff and programmes.
“The local staff are from here, so they understand the risks they face.”
This new ‘truth’ is circulating amongst International NGOs (INGOs). This may be true, but do local NGOs (LNGOs) have the capacity and resources they need to mitigate and manage the risks they face? Findings of the upcoming research suggest that this is currently not the case for many local organisations. For example:
- The way ‘risk transfer’ is commonly perceived by INGOs doesn’t capture nor resonate with the experience of LNGOs
- Local partners rarely know what SRM support they can ask for
- LNGOs avoid voicing their needs to INGO partners for fear that funding may be withdrawn
- The security risks faced by LNGOs’, as well as their capacity to manage them, are often neglected in partnership arrangements with INGOs
Since INGOs are poor at including SRM costs for their own programmes, it makes sense that they wouldn’t consider them for local partners. As GISF, we’ll continue to work with our members, partners and others in the sector to promote good practice and raise awareness. In particular, to better support those who bear the brunt of serious incidents against aid workers.
On the 9th April 2020, we will transition from EISF to GISF. We will continue to break down silos and strengthen our global centre of excellence on SRM for the humanitarian and broader aid sector. With the transition, we will gather input from a growing spectrum of experts from our membership and beyond. The more perspectives and knowledge we can gather, the stronger the foundation we can provide for organisations to improve their policies and practices. The better their policies and practices are, the safer their staff and programmes will be. We recognise that there is no ‘one-size-fits-all’ solution, and we look forward to continuing to work together to keep all staff safe.